From 06fdd5753dc3faafac3942d7d422b2092049042d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 29 Jan 2019 11:57:41 +0100
Subject: [PATCH] 4.9-stable patches

added patches:
btrfs-dev-replace-go-back-to-suspended-state-if-target-device-is-missing.patch
btrfs-fix-error-handling-in-btrfs_dev_replace_start.patch
f2fs-read-page-index-before-freeing.patch
---
 ...ed-state-if-target-device-is-missing.patch | 40 ++++++++++++
 ...-handling-in-btrfs_dev_replace_start.patch | 62 +++++++++++++++++++
 .../f2fs-read-page-index-before-freeing.patch | 47 ++++++++++++++
 queue-4.9/series | 3 +
 4 files changed, 152 insertions(+)
 create mode 100644 queue-4.9/btrfs-dev-replace-go-back-to-suspended-state-if-target-device-is-missing.patch
 create mode 100644 queue-4.9/btrfs-fix-error-handling-in-btrfs_dev_replace_start.patch
 create mode 100644 queue-4.9/f2fs-read-page-index-before-freeing.patch
diff --git a/queue-4.9/btrfs-dev-replace-go-back-to-suspended-state-if-target-device-is-missing.patch b/queue-4.9/btrfs-dev-replace-go-back-to-suspended-state-if-target-device-is-missing.patch
new file mode 100644
index 00000000000..02c636636d2
--- /dev/null
+++ b/queue-4.9/btrfs-dev-replace-go-back-to-suspended-state-if-target-device-is-missing.patch
@@ -0,0 +1,40 @@
+From 0d228ece59a35a9b9e8ff0d40653234a6d90f61e Mon Sep 17 00:00:00 2001
+From: Anand Jain
+Date: Sun, 11 Nov 2018 22:22:17 +0800
+Subject: btrfs: dev-replace: go back to suspended state if target device is missing
+
+From: Anand Jain
+
+commit 0d228ece59a35a9b9e8ff0d40653234a6d90f61e upstream.
+
+At the time of forced unmount we place the running replace to
+BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED state, so when the system comes
+back and expect the target device is missing.
+
+Then let the replace state continue to be in
+BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED state instead of
+BTRFS_IOCTL_DEV_REPLACE_STATE_STARTED as there isn't any matching scrub
+running as part of replace.
+
+Fixes: e93c89c1aaaa ("Btrfs: add new sources for device replace code")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Anand Jain
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/dev-replace.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/dev-replace.c
++++ b/fs/btrfs/dev-replace.c
+@@ -787,6 +787,8 @@ int btrfs_resume_dev_replace_async(struc
+ "cannot continue dev_replace, tgtdev is missing");
+ btrfs_info(fs_info,
+ "you may cancel the operation after 'mount -o degraded'");
++ dev_replace->replace_state =
++ BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED;
+ btrfs_dev_replace_unlock(dev_replace, 1);
+ return 0;
+ }
diff --git a/queue-4.9/btrfs-fix-error-handling-in-btrfs_dev_replace_start.patch b/queue-4.9/btrfs-fix-error-handling-in-btrfs_dev_replace_start.patch
new file mode 100644
index 00000000000..ee138a17920
--- /dev/null
+++ b/queue-4.9/btrfs-fix-error-handling-in-btrfs_dev_replace_start.patch
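Review bot: The new `dev_replace->replace_state = BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED;` assignment in the tgtdev-missing branch carries no comment, so the reason for resetting the state lives only in the commit message. The statement that sets the state before this branch is outside the hunk, so presumably the state was already moved to STARTED by the time this branch runs; a comment above the assignment such as `/* no scrub is running for this replace, so do not leave the state as STARTED */` would make that dependency explicit. Only the tail of this branch in btrfs_resume_dev_replace_async is visible; the rest of the function lies outside the hunk.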
@@ -0,0 +1,62 @@
+From 5c06147128fbbdf7a84232c5f0d808f53153defe Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney
+Date: Thu, 6 Sep 2018 15:52:17 -0400
+Subject: btrfs: fix error handling in btrfs_dev_replace_start
+
+From: Jeff Mahoney
+
+commit 5c06147128fbbdf7a84232c5f0d808f53153defe upstream.
+
+When we fail to start a transaction in btrfs_dev_replace_start, we leave
+dev_replace->replace_start set to STARTED but clear ->srcdev and
+->tgtdev. Later, that can result in an Oops in
+btrfs_dev_replace_progress when having state set to STARTED or SUSPENDED
+implies that ->srcdev is valid.
+
+Also fix error handling when the state is already STARTED or SUSPENDED
+while starting. That, too, will clear ->srcdev and ->tgtdev even though
+it doesn't own them. This should be an impossible case to hit since we
+should be protected by the BTRFS_FS_EXCL_OP bit being set. Let's add an
+ASSERT there while we're at it.
+
+Fixes: e93c89c1aaaaa (Btrfs: add new sources for device replace code)
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Jeff Mahoney
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/dev-replace.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/dev-replace.c
++++ b/fs/btrfs/dev-replace.c
+@@ -350,6 +350,7 @@ int btrfs_dev_replace_start(struct btrfs
+ break;
+ case BTRFS_IOCTL_DEV_REPLACE_STATE_STARTED:
+ case BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED:
++ ASSERT(0);
+ ret = BTRFS_IOCTL_DEV_REPLACE_RESULT_ALREADY_STARTED;
+ goto leave;
+ }
+@@ -394,6 +395,10 @@ int btrfs_dev_replace_start(struct btrfs
+ if (IS_ERR(trans)) {
+ ret = PTR_ERR(trans);
+ btrfs_dev_replace_lock(dev_replace, 1);
++ dev_replace->replace_state =
++ BTRFS_IOCTL_DEV_REPLACE_STATE_NEVER_STARTED;
++ dev_replace->srcdev = NULL;
++ dev_replace->tgtdev = NULL;
+ goto leave;
+ }
+
+@@ -415,8 +420,6 @@ int btrfs_dev_replace_start(struct btrfs
+ return ret;
+
+ leave:
+- dev_replace->srcdev = NULL;
+- dev_replace->tgtdev = NULL;
+ btrfs_dev_replace_unlock(dev_replace, 1);
+ btrfs_destroy_dev_replace_tgtdev(fs_info, tgt_device);
+ return ret;
diff --git a/queue-4.9/f2fs-read-page-index-before-freeing.patch b/queue-4.9/f2fs-read-page-index-before-freeing.patch
new file mode 100644
index 00000000000..977db12224a
--- /dev/null
+++ b/queue-4.9/f2fs-read-page-index-before-freeing.patch
@@ -0,0 +1,47 @@
+From 0ea295dd853e0879a9a30ab61f923c26be35b902 Mon Sep 17 00:00:00 2001
+From: Pan Bian
+Date: Thu, 22 Nov 2018 18:58:46 +0800
+Subject: f2fs: read page index before freeing
+
+From: Pan Bian
+
+commit 0ea295dd853e0879a9a30ab61f923c26be35b902 upstream.
+
+The function truncate_node frees the page with f2fs_put_page. However,
+the page index is read after that. So, the patch reads the index before
+freeing the page.
+
+Fixes: bf39c00a9a7f ("f2fs: drop obsolete node page when it is truncated")
+Cc:
+Signed-off-by: Pan Bian
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/node.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -656,6 +656,7 @@ static void truncate_node(struct dnode_o
+ {
+ struct f2fs_sb_info *sbi = F2FS_I_SB(dn->inode);
+ struct node_info ni;
++ pgoff_t index;
+
+ get_node_info(sbi, dn->nid, &ni);
+ if (dn->inode->i_blocks == 0) {
+@@ -678,10 +679,11 @@ invalidate:
+ clear_node_page_dirty(dn->node_page);
+ set_sbi_flag(sbi, SBI_IS_DIRTY);
+
++ index = dn->node_page->index;
+ f2fs_put_page(dn->node_page, 1);
+
+ invalidate_mapping_pages(NODE_MAPPING(sbi),
+- dn->node_page->index, dn->node_page->index);
++ index, index);
+
+ dn->node_page = NULL;
+ trace_f2fs_truncate_node(dn->inode, dn->nid, ni.blk_addr);
diff --git a/queue-4.9/series b/queue-4.9/series
index 13a7abb2a0b..d99cae05017 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
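Review bot: The added `ASSERT(0);` in the STARTED/SUSPENDED case of btrfs_dev_replace_start makes this path a kernel BUG on builds with CONFIG_BTRFS_ASSERT, while builds without it still fall through to the ALREADY_STARTED return, and nothing at the assert records which invariant makes the case unreachable. The commit message names the BTRFS_FS_EXCL_OP bit, but that check is not in any of the three inner hunks, so for this 4.9 backport it is worth confirming the tree enforces an equivalent exclusion before the assert is relied on. A comment on the assert such as `/* unreachable while exclusive-operation protection holds; ALREADY_STARTED is the fallback when asserts are compiled out */` would document both behaviours. The function body starts and ends outside the hunks shown.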
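Review bot: The new `index = dn->node_page->index;` line in truncate_node has no comment saying that it must stay ahead of `f2fs_put_page(dn->node_page, 1)`, so a later cleanup could fold the local back into the invalidate_mapping_pages() call and reintroduce the read after the reference is dropped. A one-line comment such as `/* read the index before f2fs_put_page() drops our reference */` would pin the ordering. Separately, `dn->node_page` stays non-NULL until after invalidate_mapping_pages(); from the visible lines nothing in between uses it, so moving `dn->node_page = NULL;` directly after the put looks safe and would narrow the window for a stale dereference, though the lines outside the hunk should be checked first. truncate_node continues beyond both inner hunks.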
@@ -39,3 +39,6 @@ irqchip-gic-v3-its-align-pci-multi-msi-allocation-on-their-size.patch
 s390-smp-fix-calling-smp_call_ipl_cpu-from-ipl-cpu.patch
 nvmet-rdma-add-unlikely-for-response-allocated-check.patch
 nvmet-rdma-fix-null-dereference-under-heavy-load.patch
+f2fs-read-page-index-before-freeing.patch
+btrfs-fix-error-handling-in-btrfs_dev_replace_start.patch
+btrfs-dev-replace-go-back-to-suspended-state-if-target-device-is-missing.patch
--
2.47.2